Tuesday, 26 June 2007

Stock spam evolves: new style PDFs

Spammers have now come up with a new style of stock emails.

First they used just plain text, then static image files, and then random image files, all to avoid filtering.

Because people started using FuzzyOcr, the stock spammers moved to PDFs.

Those PDFs contained plain text, which can again be filtered with the right tools.

This morning, the "next generation" appeared: PDFs with random images embedded in them :(

Firstly, here's the email you receive:

Pdf example 1:

Pdf example 2:

Interestingly, neither PDF would open in a couple of the free PDF readers, but both seem to open fine in Adobe's PDF reader.

Initial detection of this variant has been added as: Email.Stk.Gen538.Sanesecurity.07062600.pdf

Update (12:45): more new variants, now using random PDF filenames!

Pdf example 3:

Pdf example 4:

Pdf example 5:

1 comment:

Anonymous said...

There's also an additional issue: the default spamassassin scan size is 250k and these pdfs are about 400-450k (the ones I've seen), which spamassassin lets pass through. It's trivial to fix, but the issue is that they pass through a default install.
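
The size gap raised in the comment can be checked on stored mail. The following is an added example, not part of the original post or the comment: it flags messages that carry a PDF attachment and are larger than the scanner's cutoff. It assumes the 250k figure quoted by the commenter (set `SCAN_LIMIT` to your own configured value); the function names, the sample message and the image-object count heuristic are constructed for illustration.

```python
import email
from email.message import EmailMessage

# Cutoff quoted in the comment above; replace with your scanner's configured limit.
SCAN_LIMIT = 250 * 1024

def triage(raw: bytes, scan_limit: int = SCAN_LIMIT) -> dict:
    """List PDF attachments and flag messages too large for the content scanner."""
    msg = email.message_from_bytes(raw)
    pdfs = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        # Check the %PDF- magic as well as the declared type: the filenames
        # are random, and the MIME type is whatever the sender chose.
        is_pdf = b"%PDF-" in body[:1024] or part.get_content_type() == "application/pdf"
        if not is_pdf:
            continue
        # Rough heuristic: count image XObject dictionaries in the raw bytes.
        images = body.count(b"/Subtype /Image") + body.count(b"/Subtype/Image")
        pdfs.append({"filename": part.get_filename() or "",
                     "bytes": len(body), "image_objects": images})
    oversize = len(raw) > scan_limit
    return {"message_bytes": len(raw), "oversize": oversize,
            "pdfs": pdfs, "needs_review": oversize and bool(pdfs)}

def build_sample(padding: int) -> bytes:
    """Constructed test message: one fake image-only PDF of roughly `padding` bytes."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
           b"/Width 600 /Height 400 >>\nstream\n" + b"\x00" * padding +
           b"\nendstream\nendobj\n%%EOF\n")
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    m.add_attachment(pdf, maintype="application", subtype="octet-stream",
                     filename="xk3q9.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    for size in (2_000, 420_000):
        print(triage(build_sample(size)))
```

The message size is measured on the encoded message, so a base64-encoded attachment crosses the cutoff at roughly three quarters of the limit in raw PDF bytes.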